Troj/FakeAV-GIH

Category:	Viruses and Spyware	Protection available since:	23 Jan 2013 23:52:41 (GMT)
Type:	Trojan	Last Updated:	23 Jan 2013 23:52:41 (GMT)
Prevalence:

Download our free Virus Removal Tool - Find and remove threats your antivirus missed

Examples of Troj/FakeAV-GIH include:

Example 1

File Information

Size: 846K
SHA-1: 19ba84fdcd74c050c5fe6d1fc09e413d9fb335de
MD5: 6dbc5d73198ec1a71341246082b4a85d
CRC-32: c7e1544c
File type: Windows executable
First seen: 2007-07-25

Runtime Analysis

Copies Itself To

c:\Documents and Settings\test user\Local Settings\Temp\dmview.exe
c:\Documents and Settings\test user\Templates\explorer.exe

Dropped Files

c:\Documents and Settings\test user\Templates\spsreng.exe
Size
8.0K
SHA-1
161ce58c5298a4eef28437ce10dedeb3543d52fa
MD5
07f9bf43264060abcd3bb1686b78b66d
CRC-32
8fd4894e
File type
Windows executable
First seen
2012-10-21
C:\WINDOWS\system32\MSDCSC\msdcsc.exe

Registry Keys Created

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Activex Application Updater
c:\Documents and Settings\test user\Templates\spsreng.exe

Registry Keys Modified

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\MSDCSC\msdcsc.exe

Processes Created

c:\Documents and Settings\test user\local settings\temp\dmview.exe
c:\Documents and Settings\test user\templates\explorer.exe
c:\Documents and Settings\test user\templates\spsreng.exe
c:\windows\microsoft.net\framework\v2.0.50727\applaunch.exe
c:\windows\system32\msdcsc\msdcsc.exe

DNS Requests

mediaupdate.sytes.net

Example 2

File Information

Size: 624K
SHA-1: b594f525ee9438c9df45aa2263a33584aa1c54e9
MD5: 55bf858dcf86c4a5c3b8bfce1ac9d89d
CRC-32: 65b3b4c8
File type: Windows executable
First seen: 2012-10-30

Runtime Analysis

Registry Keys Created

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
iTunes
c:\Documents and Settings\test user\Application Data\persbs.exe
HKCU\Software\Microsoft\Active Setup\Installed Components\{078FF5B2-49D8-6F2F-D2FF-C47DBCFA6B27}
StubPath
c:\Documents and Settings\test user\Application Data\persbs.exe
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
c:\\test_item.exe
c:\\test_item.exe:*:Enabled:Windows Messanger
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
iTunes
c:\Documents and Settings\test user\Application Data\persbs.exe
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{078FF5B2-49D8-6F2F-D2FF-C47DBCFA6B27}
StubPath
c:\Documents and Settings\test user\Application Data\persbs.exe
HKCU\Software\VB and VBA Program Settings\INSTALL\DATE
Z76LBHRDEA
January 23, 2013
HKCU\Software\VB and VBA Program Settings\SrvID\ID
Z76LBHRDEA
Pers
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
iTunes
c:\Documents and Settings\test user\Application Data\persbs.exe

Registry Keys Modified

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
DoNotAllowExceptions
0x00000000

Processes Created

c:\windows\system32\cmd.exe
c:\windows\system32\reg.exe

DNS Requests

1zsecsqasd.no-ip.biz
2zsecsqasd.no-ip.biz
zsecsqasd.no-ip.biz

Example 3

File Information

Size: 846K
SHA-1: e2872813c1f06fb45b4043c8dc14d2b257edb058
MD5: 47c76c750b656d4a21d6d5cd38cb9c25
CRC-32: 3ac53ccb
File type: Windows executable
First seen: 2012-12-15

Runtime Analysis

Copies Itself To

c:\Documents and Settings\test user\Local Settings\Temp\dmview.exe
c:\Documents and Settings\test user\Templates\explorer.exe

Dropped Files

C:\WINDOWS\system32\MSDCSC\msdcsc.exe
c:\Documents and Settings\test user\Templates\spsreng.exe
Size
8.0K
SHA-1
161ce58c5298a4eef28437ce10dedeb3543d52fa
MD5
07f9bf43264060abcd3bb1686b78b66d
CRC-32
8fd4894e
File type
Windows executable
First seen
2012-10-21

Registry Keys Created

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Activex Application Updater
c:\Documents and Settings\test user\Templates\spsreng.exe

Registry Keys Modified

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\MSDCSC\msdcsc.exe

Processes Created

c:\Documents and Settings\test user\local settings\temp\dmview.exe
c:\Documents and Settings\test user\templates\explorer.exe
c:\Documents and Settings\test user\templates\spsreng.exe
c:\windows\microsoft.net\framework\v2.0.50727\applaunch.exe
c:\windows\system32\msdcsc\msdcsc.exe

DNS Requests

mediaupdate.sytes.net

Try Sophos products for free
Download now

Security Goals

INDUSTRIES & SECTORS

COMPANY SIZE

PRODUCT FEATURES

CASE STUDIES

Company Overview

Our People

INNOVATIVE TECHNOLOGY

ALERT SERVICES

Product Features

Product Families

Complete Security

PRODUCTS BY NAME

Free Tools

Next Steps

RESOURCES

FIND AN ANSWER

Support by Product

Maintain your Product

Hire an Expert

WHAT'S POPULAR

THREAT ANALYSIS

THREAT STATISTICS

WHAT'S POPULAR

Threat Definitions

THREAT MONITORING

SECURITY HUBS

LIBRARY

Whats Popular

WHAT'S NEW

Community

IT SECURITY TRAINING

ANATOMY OF AN ATTACK

RESELLER PARTNERS

Managed Service Providers

SYSTEM INTEGRATORS

OEM and Technology

WHAT'S POPULAR

Troj/FakeAV-GIH

Example 1

File Information

Runtime Analysis

Copies Itself To

Dropped Files

Registry Keys Created

Registry Keys Modified

Processes Created

DNS Requests

Example 2

File Information

Runtime Analysis

Registry Keys Created

Registry Keys Modified

Processes Created

DNS Requests

Example 3

File Information

Runtime Analysis

Copies Itself To

Dropped Files

Registry Keys Created

Registry Keys Modified

Processes Created

DNS Requests

Free Mac Anti-Virus

Popular topics